CVE-2026-1356 is a Server-Side Request Forgery vulnerability classified under CWE-918 found in the WordPress plugin 'Converter for Media – Optimize images | Convert WebP & AVIF' developed by mateuszgbiorczyk. The vulnerability affects all versions up to and including 6.5.1 and resides in the PassthruLoader::load_image_source function. SSRF vulnerabilities allow attackers to abuse the server as a proxy to send crafted HTTP requests to arbitrary locations, including internal network services that are otherwise inaccessible externally. In this case, unauthenticated attackers can exploit the flaw without any user interaction or privileges, making it easier to attempt exploitation, although the attack complexity is rated high, possibly due to the need to craft specific requests or conditions. The impact includes potential unauthorized information disclosure and modification of internal services, which could lead to further attacks such as lateral movement, data exfiltration, or internal service disruption. The CVSS 3.1 score is 4.8 (medium), reflecting low confidentiality and integrity impacts and no availability impact, with network attack vector and no privileges required. No patches or public exploits are currently available, but the vulnerability is published and should be addressed promptly. The plugin is used in WordPress environments to optimize and convert images to WebP and AVIF formats, which are popular for web performance optimization. The vulnerability's exploitation could undermine the security of internal infrastructure behind the web server hosting the plugin.

The SSRF vulnerability allows attackers to make arbitrary HTTP requests from the vulnerable server, potentially exposing sensitive internal services that are not directly accessible from the internet. This can lead to unauthorized access to internal APIs, metadata services, or databases, enabling attackers to gather sensitive information or manipulate internal systems. Although the CVSS score indicates medium severity, the actual impact depends on the internal network architecture and what services are accessible from the vulnerable server. Organizations with critical internal services behind the WordPress server could face data leakage or unauthorized modifications. Additionally, SSRF can be a stepping stone for more advanced attacks such as privilege escalation or lateral movement within the network. Since the vulnerability requires no authentication or user interaction, it poses a risk to any publicly accessible WordPress site using this plugin. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as exploit code may emerge. Overall, the vulnerability can compromise confidentiality and integrity of internal resources, potentially leading to significant operational and reputational damage.

1. Immediate mitigation involves updating the 'Converter for Media – Optimize images | Convert WebP & AVIF' plugin to a fixed version once released by the vendor. Monitor vendor communications for patch availability. 2. Until a patch is available, restrict outbound HTTP requests from the web server hosting the plugin using firewall rules or web application firewall (WAF) policies to limit access to only trusted external destinations. 3. Implement network segmentation to isolate internal services from the web server, minimizing the impact of SSRF exploitation. 4. Employ strict input validation and sanitization on any user-supplied URLs or parameters processed by the plugin if custom modifications are possible. 5. Monitor web server logs for unusual outbound requests or patterns indicative of SSRF exploitation attempts. 6. Use security plugins or tools that detect and block SSRF attempts in WordPress environments. 7. Conduct internal network scans to identify and secure any sensitive services accessible from the web server. 8. Educate site administrators about the risks and ensure timely updates of all WordPress plugins to reduce exposure to known vulnerabilities.